IMA Diligence Services’ notification of more than 525,000 affected individuals is a useful reminder that “legacy” infrastructure does not become low-risk just because it is old, outsourced, or scheduled for retirement. According to Comparitech, the financial due-diligence firm reported that an unauthorized actor accessed files on a legacy server hosted by a third party, with exposed data including Social Security numbers, financial information, and medical information.
Comparitech also reported that the Genesis ransomware group claimed responsibility for the intrusion in January 2026 and said it stole roughly 700 GB of data. IMA’s public notice, as summarized by Comparitech, does not confirm the ransomware group’s claim or explain the initial access method, but the pattern is familiar: attackers find a neglected system, take data with leverage value, and turn a single server exposure into a large notification event.
Why this matters for SMBs and government contractors
Financial-services and professional-services environments often hold sensitive client packets, diligence materials, identity documents, health-related records, loan files, and transaction data. For a government contractor, the same risk can show up in subcontractor portals, document staging systems, old file-transfer servers, archived bid materials, or third-party hosted collaboration tools.
The defensive lesson is not just “patch more.” The bigger issue is ownership. Legacy servers frequently fall between teams: the vendor hosts it, the business still depends on it, security does not have full telemetry, and nobody wants to break an aging workflow. That gap is exactly where ransomware operators and data-extortion crews win.
Defensive takeaways
- Inventory third-party hosted systems like internal assets. Track owner, purpose, data types, authentication method, exposure, logging, and retirement date.
- Treat decommissioning as a security control. If a server is “legacy,” assign a deadline, migrate the data, validate backups, and remove external access instead of letting it linger.
- Map sensitive data before an incident. Know where SSNs, medical information, financial records, contracts, and diligence files live so breach impact is not discovered during notification drafting.
- Require logs and incident cooperation from vendors. Contracts should specify retention, alerting, evidence preservation, and notification timelines for hosted systems.
- Monitor for data-staging behavior. Large archive creation, unusual compression tools, outbound transfers, and access outside normal business patterns are often visible before extortion begins.
- Review access on old file servers. Disable stale accounts, enforce MFA where possible, remove broad shared credentials, and restrict administrative access to trusted networks.
Bulwark Black assessment
This incident fits a broader pattern: attackers do not need to compromise the newest cloud platform if an older hosted system already contains high-value records. For small businesses, financial firms, and government contractors, legacy infrastructure should be reviewed with the same seriousness as active production systems—especially when it stores regulated or client-sensitive data.
The practical move is to build a short “legacy and third-party systems” register, rank each system by data sensitivity and internet exposure, and close the riskiest gaps first. If a system cannot be monitored, patched, or owned, it should be isolated or retired.
Source: Comparitech — Finance firm IMA warns 525,000+ people of data breach.
